IN THE CLAIMS 



Please replace any previous listing of the claims with the following 
replacement listing of the claims: 

Replacement Listing of the Claims 

1. (Currently amended) A method for tracing a denial-of-service attack on 
a victim machine back towards its source, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP 
address (r) of a router that is immediately upstream of the victim machine; 

determining a set of routers that are neighbors (n) of r; 

for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for 
traffic addressed to v is the IP address of the node that n will forward a 
packet to if the destination address in the packet is v; 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, 
determining an amount of traffic that n is forwarding to r that is addressed 
to v; 

based on the determined amounts of traffic of said neighbors, 
determining the identity of the neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, 
continuing one node further upstream from the determined neighbor n of r 
that is the principal source of packets flowing to r that are addressed to v; 
and 

continuing to traceback through interconnected routers until a source of 
denial-of-service attack packets to v is determined or until further 
traceback is not possible. 

2. (Original) A method as in claim 1, wherein the step of determining the 
set of neighbors comprises a step of sending at least one query to r to obtain 
information from a MIB that stores IP addresses of routers that are neighbors of 
r. 

3. (Original) A method as in claim 1, wherein the step of determining if r is 
n's next-hop for traffic addressed to v comprises a step of sending at least one 
query to router n. 

4. (Original) A method as in claim 3, wherein the step of sending at least 
one query queries an IP Forwarding Table MIB of router n. 

5. (Original) A method as in claim 1, wherein the step of determining an 
amount of traffic comprises a step of sending at least one message to a neighbor 
router n for determining a count of packets that router n is sending to router r that 
are addressed to v or to a network on which v resides. 

6. (Original) A method as in claim 1, and further comprising a step of 
establishing a black hole host route to v as close as is possible to the source of 
the denial-of-service attack packets. 

7. (Original) A method as in claim 1, and further comprising a step of 
establishing a special host route to v using the same next hop as an existing 
route, the special host route tracking changes in the existing route such that 
when a next hop for the existing route changes, the next hop for the host route 
changes similarly. 

8. (Original) A method as in claim 1, and further comprising a step of 
establishing a rate-limit for packets addressed to v as close as is possible to the 
source of the denial-of-service attack packets. 

9. (Currently amended) A backtracking unit for tracing a denial-of-service 
attack on a victim machine back towards its source or sources, comprising a data 
processor responsive to a traceback computer program stored on a computer- 
readable media for receiving a first input parameter of an IP address (v) of the 
victim machine and a second input parameter of an IP address (r) of a router that 
is immediately upstream of the victim machine, said traceback computer program 
controlling operation of said data processor to determine a set of routers that are 
neighbors (n) of r and, for each neighbor n of r, to determine if r is n's next-hop 
for traffic addressed to v, where node n's next-hop for traffic addressed to v is the 
IP address of the node that n will forward a packet to if the destination address in 
the packet is v, said traceback computer program further controlling operation of 
said data processor for the case where r is not n's next-hop for traffic addressed 
to v, to skip over n and to query the next neighbor of r, while for the case where r 
is n's next-hop for traffic addressed to v, to determine an amount of traffic that n 
is forwarding to r that is addressed to v, and based on the determined 
amounts of traffic of said neighbors, determining the identity of the neighbor n of r 
that is the principal source of packets flowing to r that are addressed to v or to a 
network to which v is connected, for continuing further upstream from the 
determined neighbor n of r that is the principal source of packets flowing to r that 
are addressed to v to continue to traceback through interconnected routers until 
a source of denial-of-service attack packets to v is determined, or until further 
traceback is not possible. 
10. (Original) A backtracking unit as in claim 9, wherein said data 
processor operates to send at least one query to r to obtain information from a 
MIB that stores IP addresses of routers that are neighbors of r. 

11. (Original) A backtracking unit as in claim 9, wherein said data 
processor operates to send at least one query to an IP Forwarding Table MIB of 
router n. 

12. (Original) A backtracking unit as in claim 9, wherein said data 
processor, while determining an amount of traffic that n is forwarding to r that is 
addressed to v, operates under control of said traceback computer program to 
send at least one message to at least one neighbor router n to determine a count 
of packets that router n is sending to router r that are addressed to v or to the 
network to which v is connected. 

13. (Original) A backtracking unit as in claim 9, wherein said data 
processor further operates to establish a black hole host route to v as close as is 
possible to the source of the denial-of-service attack packets. 

14. (Original) A backtracking unit as in claim 9, wherein said data 
processor further operates to establish a special host route to v using the same 
next hop as an existing route, the special host route tracking changes in the 
existing route such that when a next hop for the existing route changes, the next 
hop for the host route changes similarly. 

15. (Original) A backtracking unit as in claim 9, wherein said data 
processor further operates to establish a rate-limit for packets addressed to v as 
close as is possible to the source of the denial-of-service attack packets. 
16. (Previously presented) A method for determining an identity of a 
source of undesirable packets received from a data communications network, 
comprising steps of: 

operating a traceback function to receive at least one input parameter, 
namely a network address (v) of a first device receiving the undesirable 
packets; 

determining a set of network routers that are neighbors (n) of a network 
router (r) that is coupled to a second device immediately upstream of the 
first device; and 

querying individual ones of packet routers in order to determine a packet 
router that is a largest source of packets addressed to v via r, or to a 
network to which v is connected, and continuing to query packet routers 
up through a hierarchy of interconnected packet routers until an identity of 
a source of the undesirable packets is discovered or until further 
backtracking is not possible. 

17. (Original) A method as in claim 16, wherein the steps of determining 
and querying each comprise a step of sending queries to the data 
communications network. 

18. (Original) A method as in claim 16, wherein the step of querying 
comprises steps of: 

sending a first network message to a packet router for instructing the 
packet router to determine a number of packets that it is sending 
addressed to v; and 
sending a second network message to the packet router to query the 
packet router for the determined number. 

19. (Original) A method as in claim 16, wherein the step of querying 
comprises a step of sending at least one message to a packet router for 
determining a number of packets being forwarded to or towards v. 

20. (Original) A method as in claim 16, and further comprising a step of 
establishing at least one of a black hole host route to v as close as is possible to 
the source of the undesirable packets, establishing a special host route to v using 
the same next hop as an existing route, the special host route tracking changes 
in the existing route such that when a next hop for the existing route changes, the 
next hop for the host route changes similarly, and establishing a rate-limit for 
packets addressed to v as close as is possible to the source of the denial-of- 
service attack packets. 

21. (Original) A method as in claim 16, wherein the step of operating the 
traceback function operates the traceback function on a plurality of selected 
paths, wherein a particular path is selected based at least on an amount of traffic 
flowing through the path. 

22. (Currently amended) A method for tracing a denial-of-service attack on 
a victim machine back towards its source, comprising steps of: 

operating a traceback program on at least one path to receive two input 
parameters, (a) an IP address (v) of the victim machine and (b) an IP 
address (r) of a router that is immediately upstream of the victim machine; 

determining a set of routers that are neighbors (n) of r; 
for each neighbor n of r, determining if r is n's next-hop for traffic 
addressed to v, or to a network that v is on, where node n's next-hop for 
traffic addressed to v is the IP address of the node that n will forward a 
packet to if the destination address in the packet is v; 

if r is not n's next-hop for traffic addressed to v, skip over n and query the 
next neighbor of r, while if r is n's next-hop for traffic addressed to v, 
determining an amount of traffic that n is forwarding to r that is addressed 
to v by sending at least one message to a neighbor router n for 
determining a count of packets that router n is sending to router r that are 
addressed to v or to a network on which v resides; 

based on the determined counts of packets of said neighbors n, 
determining the identity of the neighbor n of r that is the principal source of 
packets flowing to r that are addressed to v, continuing one node further 
upstream from the determined neighbor n of r that is the principal source 
of packets flowing to r that are addressed to v, and continuing to traceback 
through interconnected routers until a source of denial-of-service attack 
packets to v is determined or until further traceback is not possible; and 

establishing a black hole host route to v as close as is possible to the 
source of the denial-of-service attack packets. 
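As an added illustration of the traceback loop recited in claims 1 and 22 (example code, not part of this claims listing and not the applicant's implementation): the routers, their neighbor lists, forwarding tables and packet counters below are constructed toy stand-ins for the MIB data the claims query, the end host 203.0.113.7 is a constructed attack source, and the black-hole host route is returned as a record rather than installed on a router.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Router:
    """Constructed stand-in for what the claims query over SNMP: neighbor list (claim 2),
    IP forwarding table (claim 4) and per-next-hop, per-destination packet counts (claim 5)."""
    neighbors: list
    routes: dict                                # prefix -> next-hop address
    counts: dict = field(default_factory=dict)  # (next_hop, dst) -> packets forwarded

    def next_hop(self, dst):
        # Longest-prefix match, as the router's own forwarding table would do.
        ip = ipaddress.ip_address(dst)
        match = max((p for p in self.routes if ip in ipaddress.ip_network(p)),
                    key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)
        return self.routes.get(match)

# Constructed topology: victim v = 10.0.0.5 sits behind R1 (192.0.2.1); the flood enters
# via R4 -> R2 -> R1. 203.0.113.7 is an end host (absent from NET), so it cannot be
# queried and the traceback stops at R4, the router closest to the source.
NET = {
    "192.0.2.1": Router(["192.0.2.2", "192.0.2.3"], {"10.0.0.0/24": "10.0.0.1"}),
    "192.0.2.2": Router(["192.0.2.1", "192.0.2.4", "192.0.2.5"], {"10.0.0.0/24": "192.0.2.1"},
                        {("192.0.2.1", "10.0.0.5"): 9000}),
    "192.0.2.3": Router(["192.0.2.1"], {"10.0.0.0/24": "192.0.2.1"},
                        {("192.0.2.1", "10.0.0.5"): 120}),       # legitimate traffic
    "192.0.2.4": Router(["192.0.2.2", "203.0.113.7"], {"10.0.0.0/24": "192.0.2.2"},
                        {("192.0.2.2", "10.0.0.5"): 8900}),
    "192.0.2.5": Router(["192.0.2.2"], {"0.0.0.0/0": "192.0.2.6"}),  # r is not its next hop
}

def traceback(net, v, r):
    """Claim 1's loop: from r, pick the neighbor that is the principal source of packets to v,
    move one hop upstream, and repeat until no queryable neighbor forwards traffic for v
    through the current router. Returns the router chain, nearest the victim first."""
    path, visited = [r], {r}
    while True:
        counts = {}
        for n in net[r].neighbors:
            if n not in net or n in visited:      # end host, or already on the path
                continue
            if net[n].next_hop(v) != r:           # r is not n's next hop for v: skip n
                continue
            counts[n] = net[n].counts.get((r, v), 0)
        if not counts or max(counts.values()) == 0:
            return path                           # further traceback is not possible
        r = max(counts, key=counts.get)           # principal source among the neighbors
        visited.add(r)
        path.append(r)

def black_hole_route(path, v):
    """Claim 22's mitigation: a host route for v that discards traffic at the router nearest the source."""
    return {"router": path[-1], "prefix": f"{v}/32", "next_hop": "discard"}
```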

23. (Previously presented) The method as in claim 22, wherein the step of 
operating the traceback function operates the traceback function on a plurality of 
selected paths, wherein a particular path is selected based at least on an amount 
of traffic flowing through the path. 